{"id":190488,"date":"2021-08-02T12:00:16","date_gmt":"2021-08-02T11:00:16","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=190488"},"modified":"2021-07-30T05:30:20","modified_gmt":"2021-07-30T04:30:20","slug":"how-to-defend-yourself-against-the-powerful-new-nso-spyware-attacks-discovered-around-the-world","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2021\/08\/how-to-defend-yourself-against-the-powerful-new-nso-spyware-attacks-discovered-around-the-world\/","title":{"rendered":"How to Defend Yourself against the Powerful New NSO Spyware Attacks Discovered Around the World"},"content":{"rendered":"<blockquote>\n<p class=\"Post-excerpt\" data-reactid=\"177\"><em>Even iPhones were vulnerable to the surveillance software, which appears to have been used against activists, journalists, and others.<\/em><\/p>\n<\/blockquote>\n<div id=\"attachment_190489\" style=\"width: 460px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb.webp\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-190489\" class=\"wp-image-190489\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb-1024x512.webp\" alt=\"\" width=\"450\" height=\"225\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb-1024x512.webp 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb-300x150.webp 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb-768x384.webp 768w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb-1536x768.webp 1536w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2021\/07\/journalist-malware-theintercept-pegasus-nso-israel-spy-bb.webp 2000w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/a><p id=\"caption-attachment-190489\" class=\"wp-caption-text\">Illustration: Soohee Cho\/The Intercept<\/p><\/div>\n<p><em>27 Jul 2021 &#8211; <\/em>An international group of journalists this month <a target=\"_blank\" href=\"https:\/\/www.theguardian.com\/world\/2021\/jul\/18\/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus\" >detailed <\/a><a target=\"_blank\" href=\"https:\/\/www.theguardian.com\/world\/2021\/jul\/18\/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus\" >extensive<\/a> new <a target=\"_blank\" href=\"https:\/\/www.theguardian.com\/world\/2021\/jul\/18\/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus\" >evidence<\/a> that spyware made by Israeli company NSO Group was used against activists, business executives, journalists, and lawyers around the world. Even Apple\u2019s iPhone, frequently lauded for its tight security, was found to be \u201c<a target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/technology\/2021\/07\/19\/apple-iphone-nso\" >no match<\/a>\u201d for the surveillance software, leading Johns Hopkins cryptographer Matthew Green to fret that the NSO revelations had led some hacking experts to descend into a posture of \u201c<a target=\"_blank\" href=\"https:\/\/blog.cryptographyengineering.com\/2021\/07\/20\/a-case-against-security-nihilism\/\" >security nihilism<\/a>.\u201d<\/p>\n<div class=\"PostContent\" data-reactid=\"209\">\n<div data-reactid=\"221\">\n<p>Security nihilism is the idea that digital attacks have grown so sophisticated that there\u2019s nothing to be done to prevent them from happening or to blunt their impact. That sort of conclusion would be a mistake. For one thing, it plays into the hands of malicious hackers, who would love nothing more than for targets to stop trying to defend themselves. It\u2019s also mistaken factually: You <i>can<\/i> defend yourself against NSO\u2019s spyware \u2014 for example, by following operational security techniques like not clicking unknown links, practicing device compartmentalization (such as using separate devices for separate apps), and having a virtual private network, or VPN, on mobile devices. Such techniques are effective against any number of digital attacks and thus useful even if NSO Group turns out to be correct in its <a target=\"_blank\" href=\"https:\/\/zetter.substack.com\/p\/the-nso-surveillance-list-what-it\" >claim that the purported evidence against the company is not valid<\/a>.<\/p>\n<\/div>\n<div data-reactid=\"223\">\n<p>There may be no such thing as perfect security, as one classic adage in the field states, but that\u2019s no excuse for passivity. Here, then, are practical steps you can take to reduce your \u201cattack surface\u201d and protect yourself against spyware like NSO\u2019s.<\/p>\n<h3>Pegasus Offers \u201cUnlimited Access to Target\u2019s Mobile Devices\u201d<\/h3>\n<p>The recent revelations concern a specific NSO spyware product known as Pegasus. They follow extensive prior studies of the company\u2019s software from entities like <a target=\"_blank\" href=\"https:\/\/citizenlab.ca\/tag\/nso-group\/\" >the Citizen Lab<\/a>, <a target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2019\/10\/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware\/\" >Amnesty International<\/a>, <a target=\"_blank\" href=\"https:\/\/articulo19.org\/wp-content\/uploads\/2017\/06\/Reporte-Gobierno-Espi%CC%81a-Final.pdf\" >Article 19, R3D, and SocialTIC<\/a>. Here\u2019s what we know about Pegasus specifically.<\/p>\n<p>The software\u2019s capabilities were outlined in what appears to be a <a target=\"_blank\" href=\"https:\/\/www.documentcloud.org\/documents\/4599753-NSO-Pegasus.html\" >promotional brochure<\/a> from NSO Group dating to <a target=\"_blank\" href=\"https:\/\/wikileaks.org\/hackingteam\/emails\/emailid\/5391\" >2014<\/a> or earlier and made available when WikiLeaks published a <a target=\"_blank\" href=\"https:\/\/wikileaks.org\/hackingteam\/emails\/\" >trove of emails<\/a> related to a different spyware firm, Italy\u2019s Hacking Team. The brochure\u2019s authenticity cannot be confirmed, and NSO has said it is not commenting further on Pegasus. But the document markets Pegasus aggressively, saying it provides \u201cunlimited access to target\u2019s mobile devices\u201d and allows clients to \u201cremotely and covertly collect information about your target\u2019s relationships, location, phone calls, plans and activities \u2014 whenever and wherever they are.\u201d The brochure also states the Pegasus can:<\/p>\n<ul>\n<li>Monitor voice and VoIP calls in real-time.<\/li>\n<li>Siphon contacts, passwords, files, and encrypted content from the phone.<\/li>\n<li>Operate as an \u201cenvironmental wiretap,\u201d listening through the microphone.<\/li>\n<li>Monitor communications through apps like WhatsApp, Facebook, Skype, Blackberry Messenger, and Viber.<\/li>\n<li>Track the phone\u2019s location via GPS.<\/li>\n<\/ul>\n<p>For all the hype, Pegasus is, however, just a glorified version of an old type of malware known as a Remote Access Trojan, or RAT: a program that allows an unauthorized party full access over a target device. In other words, while Pegasus may be potent, the security community knows well how to defend against this type of threat.<\/p>\n<p>Let\u2019s look at the different ways Pegasus can potentially infect phones \u2014 its various \u201cagent installation vectors,\u201d in the brochure\u2019s own vernacular \u2014 and how to defend against each one.<\/p>\n<h3>Dodging Social Engineering Clickbait<\/h3>\n<p>There are numerous examples in reports of Pegasus attacks of journalists and human rights defenders receiving <a target=\"_blank\" href=\"https:\/\/citizenlab.ca\/2020\/01\/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator\/\" >SMS<\/a> and <a target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2018\/08\/amnesty-international-among-targets-of-nso-powered-campaign\/\" >WhatsApp<\/a> bait messages enjoining them to click malicious links. The links download spyware that lodges into devices through security holes in browsers and operating systems. This attack vector is called an Enhanced Social Engineer Message, or ESEM, in the leaked brochure. It states that \u201cthe chances that the target will click the link are totally dependent on the level of content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message.\u201d<\/p>\n<\/div>\n<blockquote class=\"Pullquote Pullquote--right\" data-reactid=\"224\">\n<div data-reactid=\"226\"><em><strong>\u201cThe chances that the target will click the link are totally dependent on the level of content credibility.\u201d<\/strong><\/em><\/div>\n<\/blockquote>\n<div data-reactid=\"227\">\n<p>As the Committee to Protect Journalists has <a target=\"_blank\" href=\"https:\/\/cpj.org\/2019\/11\/cpj-safety-advisory-journalist-targets-of-pegasus\/\" >detailed<\/a>, ESEM bait messages linked to Pegasus fall into various categories. Some claim to be from established organizations like banks, embassies, news agencies, or parcel delivery services. Others relate to personal matters, like work or alleged evidence of infidelity, or claim that the targeted person is facing some immediate security risk.<\/p>\n<p>Future ESEM attacks may use different types of bait messages, which is why it\u2019s important to treat any correspondence that tries to convince you to perform a digital action with caution. Here are some examples of what that means in practice:<\/p>\n<ul>\n<li>If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.<\/li>\n<li>If you trust the linked site, type out the link\u2019s web address manually.<\/li>\n<li>If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.<\/li>\n<li>If you decide you\u2019re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it\u2019s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/IDN_homograph_attack\" >homograph attack<\/a>. For example, a Cyrillic \u201c\u041e\u201d might be used to mimic the usual Latin \u201cO\u201d we see in English.<\/li>\n<li>If the link appears to be a shortened URL, use a URL expander service such as <a target=\"_blank\" href=\"https:\/\/urlex.org\/\" >URL Expander<\/a> or <a target=\"_blank\" href=\"https:\/\/www.expandurl.net\/\" >ExpandURL<\/a> to reveal the actual, long link it points to before clicking.<\/li>\n<li>Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.<\/li>\n<li>Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a <a target=\"_blank\" href=\"https:\/\/www.google.com\/search?tbm=shop&amp;q=phone+faraday+bag\" >Faraday bag<\/a> when not in use \u2014 or at least away from where you have sensitive conversations (a good idea even if it\u2019s in a Faraday bag).<\/li>\n<li>Use nondefault browsers. According to a section titled \u201cInstallation Failure\u201d in the leaked Pegasus brochure, installation may fail if the target is running an <a target=\"_blank\" href=\"https:\/\/www.documentcloud.org\/documents\/4599753-NSO-Pegasus.html#document\/p15\/a437978\" >unsupported browser<\/a> and in particular a browser other than \u201cthe default browser of the device.\u201d But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.<\/li>\n<li>If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.<\/li>\n<\/ul>\n<h3>Thwarting Network Injection Attacks<\/h3>\n<p>Another way Pegasus <a target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2019\/10\/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware\/\" >infected<\/a> devices in multiple <a target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2020\/06\/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools\/\" >cases<\/a> was by intercepting a phone\u2019s network traffic using what\u2019s known as a man-in-the-middle, or\u00a0<a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\" >MITM<\/a>,\u00a0attack, in which Pegasus intercepted unencrypted network traffic, like HTTP web requests, and redirected it toward malicious payloads. Pulling this off entailed either tricking the phone into connecting to a rogue portable device which pretends to be a cell tower nearby or gaining access to the target\u2019s cellular carrier (plausible if the target is in a repressive regime where the government provides telecommunication services). This attack worked even if the phone was in mobile data-only mode, and not connected to Wi-Fi.<\/p>\n<p>When <a target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2019\/10\/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware\/\" >Maati Monjib<\/a>, the co-founder of the Freedom Now NGO and the Moroccan Association for Investigative Journalism, opened the iPhone Safari browser and typed yahoo.fr, Safari first tried going to http:\/\/yahoo.fr. Normally this would have redirected to https:\/\/fr.yahoo.com, an encrypted connection. But since Monjib\u2019s connection was being intercepted, it instead redirected to a malicious third-party site which ultimately hacked his phone.<\/p>\n<\/div>\n<blockquote class=\"Pullquote Pullquote--left\" data-reactid=\"228\">\n<div data-reactid=\"230\"><strong><em>Typing just the website domain into a browser opens you to attacks, because your browser will attempt an unencrypted connection to the site.<\/em><\/strong><\/div>\n<\/blockquote>\n<div data-reactid=\"231\">\n<p>Typing just the website domain (such as yahoo.fr) into a browser address bar without specifying a protocol (such as https:\/\/) opens the possibility for MITM attacks, because your browser by default will attempt an unencrypted HTTP connection to the site. Usually, you reach the genuine site, which immediately redirects you to a safe HTTPS connection. But if someone is tracking to hack your device, that first HTTP connection is enough of an opening to hijack your connection.<\/p>\n<p>Some websites protect against this using a complicated security feature known as <a target=\"_blank\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Strict-Transport-Security\" >HTTP Strict Transport Security<\/a>, which prevents your browser from ever making an unencrypted request to them, but you can\u2019t always count on this, even for some websites that implement it correctly.<\/p>\n<p>Here are some things you can do to prevent these kinds of attacks:<\/p>\n<ul>\n<li>Always type out https:\/\/ when going to websites.<\/li>\n<li>Bookmark secure (HTTPS) URLs for your favorite sites, and use those instead of typing the domain name directly.<\/li>\n<li>Alternately, use a\u00a0<a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Virtual_private_network\" >VPN<\/a>\u00a0on both your desktop and mobile devices. A VPN tunnels all connections securely to the VPN server, which then accesses websites on your behalf and relays them back to you. This means that an attacker monitoring your network will likely not be able to perform a successful MITM attack as your connection is encrypted to the VPN \u2014 even if you type a domain directly into your browser without the \u201chttps:\/\/\u201d part.<\/li>\n<\/ul>\n<p>If you use a VPN, keep in mind that your VPN provider has the ability to spy on your internet traffic, so it\u2019s important to pick a trustworthy one. Wirecutter publishes a regularly updated, thorough <a target=\"_blank\" href=\"https:\/\/www.nytimes.com\/wirecutter\/reviews\/best-vpn-service\/\" >comparison of VPN providers<\/a> based on their history of third-party security audits, their privacy and terms of use policies, the security of the VPN technology used, and other factors.<\/p>\n<h3>Zero-Click Exploits<\/h3>\n<p>Unlike infection attempts which require that the target perform some action like clicking a link or opening an attachment, zero-click exploits are so called because they require no interaction from the target. All that is required is for the targeted person to have a particular vulnerable app or operating system installed. Amnesty International\u2019s <a target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2021\/07\/forensic-methodology-report-how-to-catch-nso-groups-pegasus\/\" >forensic report <\/a>on the recently revealed Pegasus evidence states that some infections were transmitted through zero-click attacks leveraging the Apple Music and iMessage apps.<\/p>\n<\/div>\n<blockquote class=\"Pullquote Pullquote--right\" data-reactid=\"232\">\n<div data-reactid=\"234\"><em><strong>Your device should have the bare minimum of apps that you need.<\/strong><\/em><\/div>\n<\/blockquote>\n<div data-reactid=\"235\">\n<p>This is not the first time NSO Group\u2019s tools have been linked to zero-click attacks. A 2017 <a target=\"_blank\" href=\"https:\/\/cdn2.uvnimg.com\/db\/e1\/9105935b4499804fd3feb1f7f933\/martinelli-complaint.pdf\" >complaint<\/a> against Panama\u2019s former President Ricardo Martinelli states that journalists, political figures, union activists, and civic association leaders were targeted with Pegasus and rogue push notifications delivered to their devices, while in 2019 WhatsApp and Facebook filed a <a target=\"_blank\" href=\"https:\/\/context-cdn.washingtonpost.com\/notes\/prod\/default\/documents\/bf5edf35-5672-49fa-aca1-edefadff683f\/note\/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf\" >complaint<\/a> claiming NSO Group developed malware capable of exploiting a zero-click vulnerability in WhatsApp.<\/p>\n<p>As zero-click vulnerabilities by definition do not require any user interaction, they are the hardest to defend against. But users can reduce their chances of succumbing to these exploits by reducing what is known as their \u201cattack surface\u201d\u00a0and by practicing device compartmentalization. Reducing your attack surface simply means minimizing the possible ways that your device may be infected. Device compartmentalization means spreading your data and apps across multiple devices.<\/p>\n<p>Specifically, users can:<\/p>\n<ul>\n<li>Reduce the number of apps on your phone. The fewer unlocked doors your home has, the fewer opportunities a burglar has to enter; similarly, fewer apps means fewer virtual doors on your phone for an adversary to exploit. Your device should have the bare minimum apps that you need to perform day-to-day function. There are some apps you cannot remove, such as iMessage; in those cases you can often <a target=\"_blank\" href=\"https:\/\/selfsolve.apple.com\/deregister-imessage\/\" >disable<\/a> them, though doing so will also make text messages no longer work on your iPhone.<\/li>\n<li>Regularly audit your installed apps (and their permissions), and remove any that you no longer need. It is safer to remove a seldom-used app and download it again when you actually need it than to let it remain on your phone.<\/li>\n<li>Regularly update both your phone\u2019s operating system and individual apps, since updates close vulnerabilities, <a target=\"_blank\" href=\"https:\/\/www.vice.com\/en_us\/article\/v7gd9b\/facebook-helped-fbi-hack-child-predator-buster-hernandez\" >sometimes even unintentionally<\/a>.<\/li>\n<li>Compartmentalize your remaining apps. If a phone only has WhatsApp installed and is compromised, the hacker will get WhatsApp data, but not other sensitive information like email, calendar, photos, or <a target=\"_blank\" href=\"https:\/\/theintercept.com\/2017\/05\/01\/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal\/\" >Signal messages<\/a>.<\/li>\n<li>Even a compartmentalized phone can still be used as a wiretap and a tracking device, so keep devices physically compartmentalized \u2014 that is, leave them in another room, ideally in a <a target=\"_blank\" href=\"https:\/\/www.google.com\/search?tbm=shop&amp;q=tamper+evident+bag\" >tamper bag<\/a>.<\/li>\n<\/ul>\n<h3>Physical Access<\/h3>\n<p>A final way an attacker can infect your phone is by physically interacting with it. According to the brochure, \u201cwhen physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes\u201d \u2014 though it is unclear if the phone needs to be unlocked or if attackers are able to infect even a PIN-protected phone.<\/p>\n<p>There seem to be no known cases of physically launched Pegasus attacks, though such exploits may be difficult to spot and distinguish from online attacks. Here\u2019s how you can mitigate them:<\/p>\n<ul>\n<li>Always maintain a line of sight\u00a0to your devices. Losing sight of your devices opens the possibility of physical compromise. Obviously there is a difference between a customs agent taking your phone at the airport versus you leaving your laptop behind in a room in your residence when you go to the bathroom, but all involve some risk, and you will have to calibrate your own risk tolerance.<\/li>\n<li>Put your device in a tamper bag when it needs to be left unattended, particularly in riskier locations like hotel rooms. This will not prevent the device from being manipulated but will at the least provide a ready alert that the device has been taken out of the bag and <i>might<\/i> have been tampered with, at which point the device should no longer be used.<\/li>\n<li>Use burner phones and other compartmented devices when entering potentially hostile environments such as government buildings, including embassies and consulates, or when going through border checkpoints.<\/li>\n<\/ul>\n<p>Generally:<\/p>\n<ul>\n<li>Use Amnesty International\u2019s <a target=\"_blank\" href=\"https:\/\/mvt.readthedocs.io\/en\/latest\/index.html\" >Mobile Verification Toolkit<\/a> if you suspect your phone is infected with Pegasus.<\/li>\n<li>Regularly back up important files.<\/li>\n<li>And finally, there\u2019s no harm in regularly <a target=\"_blank\" href=\"https:\/\/support.apple.com\/guide\/iphone\/erase-iphone-iph7a2a9399b\/ios\" >resetting<\/a> your phone.<\/li>\n<\/ul>\n<p>Although Pegasus is a sophisticated piece of spyware, there are tangible steps you can take to minimize the chance that your devices will be infected. There\u2019s no foolproof method to eliminate your risk entirely, but there are definitely things you can do to lower that risk, and there\u2019s certainly no need to resort to the defeatist view that we\u2019re \u201cno match\u201d for Pegasus.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/theintercept.com\/2021\/07\/27\/pegasus-nso-spyware-security\/?utm_medium=email&amp;utm_source=The%20Intercept%20Newsletter\" >Go to Original &#8211; theintercept.com<\/a><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>27 Jul 2021 &#8211; Even iPhones were vulnerable to the surveillance software, which appears to have been used against activists, journalists, and others.<\/p>\n","protected":false},"author":4,"featured_media":190489,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[910,1009,550,88,2608,2603,2606,1109,911,461],"class_list":["post-190488","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-in-focus","tag-big-brother","tag-big-tech","tag-corruption","tag-israel","tag-nso","tag-pegasus","tag-pegasus-project","tag-spying","tag-surveillance","tag-technology"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/190488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=190488"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/190488\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media\/190489"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=190488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=190488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=190488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}